Ansible on MikroTik RouterOS 7 Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate MikroTik RouterOS 7 with Ansible: community.routeros collection, REST API, firewall, OSPF/BGP, WireGuard, CAPsMAN, configuration backup.

MikroTik RouterOS 7 is the modern release line for MikroTik routers and switches. It introduces a Linux-based kernel, WireGuard, IPv6-first BGP/OSPF, container support, and the REST API alongside the classic API. Ansible's community.routeros collection drives full automation: firewall rules, addresses, OSPF/BGP, WireGuard peers, CAPsMAN access points, and configuration backup.

RouterOS 7 release facts

| Item | Value |
|---|---|
| Major | 7.x (current 7.18) |
| Programmability | API (8728/8729), REST API (HTTPS), Winbox, SSH |
| New features | WireGuard, container, ROSE-STORAGE, IPv6 enhancements |
| Default firewall | RouterOS firewall (filter, raw, mangle, NAT) |


Ansible-core compatibility

Use ansible-core 2.18 LTS with community.routeros >= 3.0.

Inventory

[mikrotik]
hap-ax3 ansible_host=192.168.88.1
ccr2004 ansible_host=10.0.0.1

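[mikrotik:vars]
# The API modules run on the control node and open the API session themselves
ansible_connection=ansible.builtin.local
ansible_user=admin
ansible_password='{{ vault_mikrotik_password }}'
# API-SSL port and TLS switch for the API modules' port and tls parameters
ansible_routeros_api_port=8729
ansible_routeros_api_tls=true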


Backup configuration

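- name: Backup RouterOS configs
  hosts: mikrotik
  gather_facts: false
  vars:
    # community.routeros.command runs over SSH (network_cli), not over the API
    ansible_connection: ansible.netcommon.network_cli
    ansible_network_os: community.routeros.routeros
  tasks:
    - name: Export full config
      community.routeros.command:
        commands:
          - /export

    - name: Save binary backup on the router
      community.routeros.command:
        commands:
          # now() replaces ansible_date_time, which is undefined with gather_facts: false
          - "/system backup save name={{ inventory_hostname }}-{{ now(utc=true, fmt='%Y%m%dT%H%M%S') }}"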
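
The backup flow above, carried through to a file on the control node, as an added example that is not part of the original page. It assumes the network_cli inventory shown under "Connecting Ansible to MikroTik"; `backup_dir` and `vault_backup_password` are hypothetical names, and the password is assumed to contain no spaces or quotes. RouterOS 7 leaves sensitive values out of `/export` unless `show-sensitive` is given, so the text file is suitable for review while keys stay in the password-protected binary backup.

```yaml
# Added example, not from the original page.
- name: Export RouterOS config to the control node before changes
  hosts: mikrotik
  gather_facts: false
  vars:
    backup_dir: "{{ playbook_dir }}/backups"   # hypothetical path
    stamp: "{{ now(utc=true, fmt='%Y%m%dT%H%M%SZ') }}"
  tasks:
    - name: Create a private backup directory on the control node
      ansible.builtin.file:
        path: "{{ backup_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      run_once: true

    - name: Export the text configuration
      community.routeros.command:
        commands:
          - /export
      register: export_result

    - name: Stop if the export came back empty
      ansible.builtin.assert:
        that:
          - export_result.stdout[0] | length > 0
        fail_msg: "Empty /export from {{ inventory_hostname }}"

    - name: Write the export where version control can track it
      ansible.builtin.copy:
        content: "{{ export_result.stdout[0] }}\n"
        dest: "{{ backup_dir }}/{{ inventory_hostname }}.rsc"
        mode: "0600"
      delegate_to: localhost

    - name: Save a password-protected binary backup on the router
      community.routeros.command:
        commands:
          - "/system backup save name={{ inventory_hostname }}-{{ stamp }} password={{ vault_backup_password }}"
      no_log: true   # keeps the backup password out of Ansible output
```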

Firewall rules

- name: Configure firewall on RouterOS
  hosts: mikrotik
  gather_facts: false
  module_defaults:
    # Connection parameters shared by all community.routeros API modules
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      port: "{{ ansible_routeros_api_port }}"
      tls: "{{ ansible_routeros_api_tls }}"
  tasks:
    # All input-chain rules go in one data list, in evaluation order
    - name: Configure input chain
      community.routeros.api_modify:
        path: ip firewall filter
        data:
          # Allow established+related on input
          - chain: input
            action: accept
            connection-state: "established,related"
          # Allow ICMP
          - chain: input
            action: accept
            protocol: icmp
          # Drop everything else on input
          - chain: input
            action: drop
            comment: "default drop"


WireGuard peer

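- name: Configure WireGuard
  hosts: mikrotik
  gather_facts: false
  module_defaults:
    # Connection parameters shared by all community.routeros API modules
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      port: "{{ ansible_routeros_api_port }}"
      tls: "{{ ansible_routeros_api_tls }}"
  tasks:
    - name: Create wg0 interface
      community.routeros.api_modify:
        path: interface wireguard
        data:
          - name: wg0
            listen-port: 51820
            private-key: "{{ vault_wg_private_key }}"

    - name: Add peer
      community.routeros.api_modify:
        path: interface wireguard peers
        data:
          - interface: wg0
            public-key: "{{ peer_public_key }}"
            allowed-address: 10.99.0.2/32
            endpoint-address: peer.example.com
            endpoint-port: 51820
            persistent-keepalive: 25s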

OSPFv3

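- name: OSPFv3 instance
  hosts: mikrotik
  gather_facts: false
  module_defaults:
    # Connection parameters shared by all community.routeros API modules
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      port: "{{ ansible_routeros_api_port }}"
      tls: "{{ ansible_routeros_api_tls }}"
  tasks:
    - name: Instance
      community.routeros.api_modify:
        path: routing ospf instance
        data:
          - name: default
            router-id: "{{ rid }}"
            version: 3

    - name: Area
      community.routeros.api_modify:
        path: routing ospf area
        data:
          - name: backbone
            area-id: 0.0.0.0
            instance: default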

CAPsMAN access points

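- name: Push CAPsMAN baseline
  hosts: mikrotik_controller
  gather_facts: false
  module_defaults:
    # Connection parameters shared by all community.routeros API modules
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      port: "{{ ansible_routeros_api_port }}"
      tls: "{{ ansible_routeros_api_tls }}"
  tasks:
    - name: Configuration profile
      community.routeros.api_modify:
        path: caps-man configuration
        data:
          - name: corp-wifi
            ssid: CorpWiFi
            datapath: corp-dp
            security: corp-sec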

Best practices

• Use the API/REST API transport over SSH for structured, idempotent changes.
• Keep community.routeros.api_modify calls scoped by find_filter to avoid duplicating rules.
• Backup before every change; RouterOS does not have transactional commits.
• Pin RouterOS firmware version with the community.routeros.system_routerboard upgrade flow.
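
One way to keep firewall changes idempotent and free of duplicate rules, as an added example that is not from the original page: the whole filter table is declared as one ordered list, so a re-run changes nothing and any rule not listed, in any chain, is removed. It also admits API-SSL and SSH from a management subnet ahead of the default drop, so the drop rule does not cut off the next Ansible run. `mgmt_net` and the `ca_path` file are assumed values.

```yaml
# Added example, not from the original page. mgmt_net and ca_path are assumed values.
- name: Enforce the whole filter table from one ordered list
  hosts: mikrotik
  gather_facts: false
  vars:
    ansible_connection: ansible.builtin.local  # API modules run on the control node
    mgmt_net: 192.168.88.0/24                  # assumed management subnet
  module_defaults:
    group/community.routeros.api:
      hostname: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
      tls: true
      validate_certs: true
      validate_cert_hostname: true
      ca_path: /etc/ansible/routeros-ca.pem    # assumed CA file
  tasks:
    - name: Apply filter rules in evaluation order
      community.routeros.api_modify:
        path: ip firewall filter
        ensure_order: true
        handle_absent_entries: remove          # rules not listed here are deleted
        handle_entries_content: remove_as_much_as_possible
        data:
          - chain: input
            action: accept
            connection-state: established,related
            comment: established and related
          - chain: input
            action: accept
            protocol: icmp
            comment: icmp
          - chain: input
            action: accept
            protocol: tcp
            dst-port: "8729"
            src-address: "{{ mgmt_net }}"
            comment: API-SSL from management only
          - chain: input
            action: accept
            protocol: tcp
            dst-port: "22"
            src-address: "{{ mgmt_net }}"
            comment: SSH from management only
          - chain: input
            action: drop
            comment: default drop
```

Run it with `--check --diff` first to see which existing rules would be modified or removed.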

Conclusion

RouterOS 7 + community.routeros brings MikroTik fleets into the Ansible-driven NetOps world. Use the API transport, idempotent api_modify, and rigorous backup discipline to manage large MikroTik deployments declaratively.

Connecting Ansible to MikroTik

# inventory.ini
[mikrotik]
router1 ansible_host=192.168.88.1

[mikrotik:vars]
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=community.routeros.routeros
ansible_user=admin
ansible_password="{{ vault_mikrotik_password }}"

Common RouterOS Tasks

- name: Manage MikroTik RouterOS
  hosts: mikrotik
  gather_facts: false
  tasks:
    - name: Get system identity
      community.routeros.command:
        commands:
          - /system identity print
      register: identity

    - name: Show identity
      ansible.builtin.debug:
        msg: "{{ identity.stdout_lines }}"

    - name: Configure DNS
      community.routeros.command:
        commands:
          - /ip dns set servers=8.8.8.8,1.1.1.1

    - name: Add firewall rule
      community.routeros.command:
        commands:
          - /ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept comment="Allow SSH"

    - name: Create backup
      community.routeros.command:
        commands:
          - /system backup save name=ansible-backup

RouterOS API Module

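    - name: Configure via API
      community.routeros.api:
        hostname: "{{ ansible_host }}"
        username: "{{ ansible_user }}"
        password: "{{ ansible_password }}"
        tls: true  # API-SSL (8729), so the password is not sent in clear text
        path: ip address
        # add takes one string of key=value arguments
        add: "address=10.0.0.1/24 interface=ether2"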

FAQ

Which Ansible collection do I need for MikroTik?

Install community.routeros: ansible-galaxy collection install community.routeros. It supports both SSH CLI and RouterOS API connections.

Does Ansible support RouterOS 7 specifically?

Yes. The community.routeros collection supports both RouterOS 6 and 7. Some command syntax differs between versions — always test on your target version.

Can I back up and restore MikroTik configurations with Ansible?

Yes. Use /system backup save for binary backups and /export for text-based configuration exports. Store exports in version control for configuration-as-code.
